[PATCH v2] fixes account locked when using winbind refresh tickets

Samba - samba-technical mailing list
Fixes since version 1:
- Fixed README.Coding issues ("Make use of helper variables")
- Use talloc_strndup instead of strncpy()
- Fix white space in confusing pointer arithmetic.
- Use ads_idmap_cached_connection() to set up ADS_STRUCT
- Prefer the newer DBG_NOTICE over DEBUG(10)
- Add log messages that indicate when a kinit is skipped for a
particular user
- Use strtoull() instead of atoll().
- Put checks within the krb5_ticket_refresh_handler() rekinit goto
block, otherwise the new checks can be jumped over.

 source3/libads/ads_ldap_protos.h       |   2 +
 source3/libads/ldap.c                  |  27 ++++++++
 source3/winbindd/winbindd.h            |   1 +
 source3/winbindd/winbindd_cred_cache.c | 119
++++++++++++++++++++++++++++-----
 source3/winbindd/winbindd_pam.c        |   6 +-
 source3/winbindd/winbindd_proto.h      |   3 +-
 6 files changed, 138 insertions(+), 20 deletions(-)

--
David Mulder
SUSE Labs Software Engineer - Samba
[hidden email]
SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Graham Norton, HRB 21284 (AG Nürnberg)


0001-winbind-account-locked-when-using-winbind-refresh-ti.patch (10K)

Re: [PATCH v2] fixes account locked when using winbind refresh tickets

On Friday, 12 January 2018 22:08:19 CET David Mulder via samba-technical
wrote:

> Fixes since version 1:
> - Fixed README.Coding issues ("Make use of helper variables")
> - Use talloc_strndup instead of strncpy()
> - Fix white space in confusing pointer arithmetic.
> - Use ads_idmap_cached_connection() to set up ADS_STRUCT
> - Prefer the newer DBG_NOTICE over DEBUG(10)
> - Add log messages that indicate when a kinit is skipped for a
> particular user
> - Use strtoull() instead of atoll().
> - Put checks within the krb5_ticket_refresh_handler() rekinit goto
> block, otherwise the new checks can be jumped over.
>
>  source3/libads/ads_ldap_protos.h       |   2 +
>  source3/libads/ldap.c                  |  27 ++++++++
>  source3/winbindd/winbindd.h            |   1 +
>  source3/winbindd/winbindd_cred_cache.c | 119
> ++++++++++++++++++++++++++++-----
>  source3/winbindd/winbindd_pam.c        |   6 +-
>  source3/winbindd/winbindd_proto.h      |   3 +-
>  6 files changed, 138 insertions(+), 20 deletions(-)

Please initialise *all* pointers with NULL.

In ads_pull_uint64()

char **values = NULL;

if (values != NULL)
..

if (values[0] != NULL)


in fetch_last_password_change()

bool ok;

ok = ads_pull_uint64(..);
if (!ok)

in the other functions

uint64_t last_pw_chg;

last_pw_chg = fetch_last_password_change();
if (last_pw_chg != 0)
..

and also for the next fetch_last_password_change call use a helper variable.


        Andreas
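
The points raised in this review (pointers initialised with NULL, a "bool ok" helper variable, strtoull() rather than atoll()), put together as an added stand-alone C example; it is not code from the patch or from Samba. demo_pull_uint64() and demo_fetch_last_password_change() are hypothetical stand-ins that take the attribute values directly, and the input strings are constructed.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical helper: parse values[0] as an unsigned decimal number. */
static bool demo_pull_uint64(char **values, uint64_t *out)
{
	char *end = NULL;	/* every pointer starts out as NULL */
	unsigned long long n = 0;

	if (values == NULL || values[0] == NULL) {
		return false;
	}
	/* strtoull() accepts leading whitespace and a sign; reject both. */
	if (values[0][0] < '0' || values[0][0] > '9') {
		return false;
	}
	errno = 0;
	n = strtoull(values[0], &end, 10);
	if (errno != 0 || *end != '\0') {
		return false;	/* overflow or trailing junk, which atoll() hides */
	}
	*out = (uint64_t)n;
	return true;
}

/* Hypothetical caller: returns 0 when the value is missing or malformed. */
static uint64_t demo_fetch_last_password_change(char **values)
{
	uint64_t last_pw_chg = 0;
	bool ok;

	ok = demo_pull_uint64(values, &last_pw_chg);
	if (!ok) {
		return 0;
	}
	return last_pw_chg;
}

int main(void)
{
	char *good[] = { "131602345678901234", NULL };	/* constructed value */
	char *junk[] = { "12abc", NULL };		/* constructed value */
	printf("good: %llu\n", (unsigned long long)demo_fetch_last_password_change(good));
	printf("junk: %llu\n", (unsigned long long)demo_fetch_last_password_change(junk));
	return 0;
}
```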